Outrage over lost patient records at Welsh NHS Trust

A WELSH NHS trust has been criticised after a laptop containing details of about 5,000 patients was stolen.

A WELSH NHS trust has been criticised after a laptop containing details of about 5,000 patients was stolen.

The Information Commissioner’s Office (ICO) has taken action against Abertawe Bro Morgannwg University NHS Trust for breaching the Data Protection Act.

It has ordered the trust, which serves patients in Bridgend, Neath Port Talbot and Swansea, to sign an undertaking to process personal information in line with the Act.

The undertaking includes a pledge to ensure that all data stored on laptops and other devices is encrypted.

The laptop was stolen by an “opportunistic thief” from a management office at Singleton Hospital, in Swansea, in April last year.

It is understood that the computer, which was not encrypted, was taken outside normal working hours.

The laptop contained the names and addresses of some 5,000 hospital patients and, in some cases, confidential medical records.

But despite the theft, the trust said the details were not permanently lost as the files had been backed-up.

Abertawe Bro Morgannwg University NHS Trust, which was formed by the merger of Bro Morgannwg and Swansea NHS Trusts in April 2008, was criticised yesterday by the ICO alongside Tees, Esk & Wear Valleys NHS Foundation Trust, which lost a data stick containing patient information.

Anne Jones, the assistant information commissioner for Wales, said: “Both these cases highlight the importance of implementing the appropriate safeguards to ensure sensitive personal details about patients are processed securely.

“Even though one case involved the theft of a laptop, the data controller – Abertawe Bro Morgannwg University NHS Trust – is responsible for ensuring personal data is adequately protected.

“The Data Protection Act clearly states that organisations must take appropriate measures to ensure that personal information is kept secure.

“Abertawe Bro Morgannwg University NHS Trust and Tees, Esk & Wear Valleys NHS Foundation Trust recognise the seriousness of these data losses and have agreed to take immediate remedial action.”

“In addition, documents stored on the hard drive were also password protected.

“We have reviewed security and access to offices. Access to unattended offices has been restricted, logging of access keys has been improved and we have improved alarm systems.

“Of course, patient confidentiality and the security of person-identifiable data is taken extremely seriously.

“To further increase data security, the trust has embarked upon a programme of encrypting all laptops, and this is now nearing completion.

“All staff are instructed not to save sensitive information onto portable devices, and this is part of our IT security policy.”

Other measures to improve data security have also been introduced, including moving any data held on a laptop or PC to a secure network storage area and subsequently deleting the information from the device.

Cardiff Central MP Jenny Willott, who has campaigned against lax government handling of sensitive data, described the revelation as shocking.

The Welsh Liberal Democrat MP said: “It is shocking to have such sensitive information and not to have it encrypted. It shows a complete lack of sensitivity to members of the public who want their personal details to be treated with the utmost security.

“The Government has an appalling record of keeping personal data secure. I would think that the health trust would at least have learned from this and made an attempt to keep data encrypted.”

A Freedom of Information request by Plaid Cymru last year revealed that equipment worth more than £120,000 was stolen from the NHS in Wales.

The items taken ranged from pieces of medical equipment to wheelie bins and even toys, but the most common and expensive thefts from NHS trusts which responded involved IT equipment and desktop and laptop computers.

The news of the missing data is the latest in a long line of data- related bungles, which have threatened the confidentiality and security of thousands across Britain.

In May last year, the medical records of 38,000 NHS patients were revealed to have gone missing. The information, including details of drinking habits, sexual diseases and disabilities, was on a computer disc that vanished en-route to a medical centre.

Only a few months later, sensitive documents containing information about the financial affairs of up to 2,000 people were lost by civil servants at the HM Revenue and Customs offices in Birmingham.

The package contained tax records and included National Insurance numbers and addresses.

In November 2007, two computer discs holding the personal details of all families in the UK with a child under 16 vanished.

The Child Benefit data on them included names, addresses, dates of birth, National Insurance numbers and bank details of 25 million people.

WalesOnline is part of Media Wales, publisher of the Western Mail, South Wales Echo, Wales on Sunday and the seven Celtic weekly titles, offering you unique access to our audience across Wales online and in print.